Blame doc/data-types.txt

Packit c5a612
INTEGER TYPE
~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|Integer | integer | variable | -
|==================

The integer type is used for numeric values. It may be specified as a decimal,
hexadecimal or octal number. The integer type does not have a fixed size, its
size is determined by the expression for which it is used.

BITMASK TYPE
~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|Bitmask | bitmask | variable | integer
|==================

The bitmask type (*bitmask*) is used for bitmasks.

STRING TYPE
~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|String | string | variable | -
|==================

The string type is used for character strings. A string begins with an
alphabetic character (a-zA-Z) followed by zero or more alphanumeric characters
or the characters /, -, _ and .. In addition, anything enclosed in double
quotes (") is recognized as a string.

.String specification
----------------------
# Interface name
filter input iifname eth0

# Weird interface name
filter input iifname "(eth0)"
----------------------

LINK LAYER ADDRESS TYPE
~~~~~~~~~~~~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|Link layer address | lladdr | variable | integer
|==================

The link layer address type is used for link layer addresses. Link layer
addresses are specified as a variable amount of groups of two hexadecimal digits
separated using colons (:).

.Link layer address specification
----------------------
# Ethernet destination MAC address
filter input ether daddr 20:c9:d0:43:12:d9
----------------------

IPV4 ADDRESS TYPE
~~~~~~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|IPV4 address | ipv4_addr | 32 bit | integer
|==================

The IPv4 address type is used for IPv4 addresses. Addresses are specified in
either dotted decimal, dotted hexadecimal, dotted octal, decimal, hexadecimal,
octal notation or as a host name. A host name will be resolved using the
standard system resolver.

.IPv4 address specification
----------------------
# dotted decimal notation
filter output ip daddr 127.0.0.1

# host name
filter output ip daddr localhost
----------------------
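
Because one address can be written in several of the notations listed above, and a host name depends on the system resolver, a ruleset review benefits from normalising every address to dotted decimal first. The following Python sketch is an added example, not part of the nftables documentation: `classify_ipv4`, `audit` and the `ADDR` matcher are hypothetical helpers, the sample rules are constructed, and it assumes the conventional numeric prefixes (`0x` for hexadecimal, a leading `0` for octal).

```python
import re

# Assumption: numeric prefixes follow the usual convention
# (0x = hexadecimal, leading 0 = octal, otherwise decimal).
FORMS = [("hexadecimal", r"0[xX][0-9a-fA-F]+", 16),
         ("octal", r"0[0-7]+", 8),
         ("decimal", r"0|[1-9][0-9]*", 10)]

def _num(part):
    for name, pattern, base in FORMS:
        if re.fullmatch(pattern, part):
            return int(part, base), name
    return None

def classify_ipv4(token):
    """Return (notation, dotted-decimal form or None) for one address token."""
    parts = token.split(".")
    nums = [_num(p) for p in parts]
    if None in nums:
        return "host name", None        # left to the system resolver
    names = [name for _, name in nums]
    # Labelled hexadecimal if any part is, else octal, else decimal.
    kind = next(n for n, _, _ in FORMS if n in names)
    if len(parts) == 4 and all(v <= 0xFF for v, _ in nums):
        return "dotted " + kind, ".".join(str(v) for v, _ in nums)
    if len(parts) == 1 and nums[0][0] <= 0xFFFFFFFF:
        return kind, ".".join(str(b) for b in nums[0][0].to_bytes(4, "big"))
    return "other", None

# Hypothetical matcher: single-address "ip saddr/daddr X" matches only.
ADDR = re.compile(r"\bip\s+[sd]addr\s+([0-9A-Za-z][\w.-]*)")

def audit(ruleset):
    """List (line, token, notation, canonical) for addresses not in dotted decimal."""
    findings = []
    for no, line in enumerate(ruleset.splitlines(), 1):
        for token in ADDR.findall(line.split("#", 1)[0]):
            kind, canon = classify_ipv4(token)
            if kind != "dotted decimal":
                findings.append((no, token, kind, canon))
    return findings

SAMPLE = """# constructed sample rules
filter output ip daddr 127.0.0.1
filter output ip daddr localhost
filter output ip daddr 010.0.0.1
filter output ip daddr 0x7f.0.0.1
filter output ip daddr 2130706433
"""
```

Running `audit(SAMPLE)` reports the host name and the three non-decimal spellings; `010.0.0.1` normalises to `8.0.0.1`, not `10.0.0.1`.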

IPV6 ADDRESS TYPE
~~~~~~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|IPv6 address | ipv6_addr | 128 bit | integer
|==================

The IPv6 address type is used for IPv6 addresses. Addresses are specified as a
host name or as hexadecimal halfwords separated by colons. Addresses might be
enclosed in square brackets ("[]") to differentiate them from port numbers.

.IPv6 address specification
----------------------
# abbreviated loopback address
filter output ip6 daddr ::1
----------------------

.IPv6 address specification with bracket notation
----------------------
# without [] the port number (22) would be parsed as part of the
# ipv6 address
ip6 nat prerouting tcp dport 2222 dnat to [1ce::d0]:22
----------------------
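
The bracket rule above matters because an unbracketed target such as `1ce::d0:22` is itself a valid IPv6 address, so a forgotten pair of brackets silently changes the destination instead of failing. The following Python sketch is an added example, not part of the nftables documentation: `parse_target`, `intended_reading` and `lint` are hypothetical helpers and the sample rules are constructed.

```python
import ipaddress
import re

def parse_target(target):
    """Split a NAT target into (IPv6Address, port or None)."""
    m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", target)
    if m:  # brackets delimit the address, an optional port follows
        port = int(m.group(2)) if m.group(2) else None
        return ipaddress.IPv6Address(m.group(1)), port
    return ipaddress.IPv6Address(target), None  # whole token is the address

def intended_reading(target):
    """For an unbracketed target whose last group also looks like a port,
    return the (address, port) the writer may have meant, else None."""
    if target.startswith("["):
        return None
    head, _, tail = target.rpartition(":")
    if not tail.isdigit() or int(tail) > 65535:
        return None
    try:
        return ipaddress.IPv6Address(head), int(tail)
    except ValueError:  # the remainder is not an address on its own
        return None

DNAT = re.compile(r"\bdnat\s+to\s+(\S+)")

def lint(ruleset):
    """List (line, target, address as parsed, (address, port) possibly meant)."""
    findings = []
    for no, line in enumerate(ruleset.splitlines(), 1):
        for target in DNAT.findall(line.split("#", 1)[0]):
            alt = intended_reading(target)
            if alt:
                parsed = str(parse_target(target)[0])
                findings.append((no, target, parsed, (str(alt[0]), alt[1])))
    return findings

SAMPLE = """# constructed sample rules
ip6 nat prerouting tcp dport 2222 dnat to [1ce::d0]:22
ip6 nat prerouting tcp dport 2222 dnat to 1ce::d0:22
ip6 nat prerouting tcp dport 8080 dnat to 2001:db8::1
"""
```

Only the second rule is flagged: its target parses as the single address `1ce::d0:22`, while the bracketed form yields address `1ce::d0` and port 22.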

BOOLEAN TYPE
~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|Boolean | boolean | 1 bit | integer
|==================

The boolean type is a syntactical helper type in userspace. Its use is in the
right-hand side of a (typically implicit) relational expression to change the
expression on the left-hand side into a boolean check (usually for existence). +

.The following keywords will automatically resolve into a boolean type with given value

[options="header"]
|==================
|Keyword | Value
|exists | 1
|missing | 0
|==================

.expressions support a boolean comparison
[options="header"]
|======================================
|Expression | Behaviour
|fib | Check route existence.
|exthdr | Check IPv6 extension header existence.
|tcp option | Check TCP option header existence.
|======================================

.Boolean specification
----------------------
# match if route exists
filter input fib daddr . iif oif exists

# match only non-fragmented packets in IPv6 traffic
filter input exthdr frag missing

# match if TCP timestamp option is present
filter input tcp option timestamp exists
----------------------

ICMP TYPE TYPE
~~~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|ICMP Type | icmp_type | 8 bit | integer
|==================

The ICMP Type type is used to conveniently specify the ICMP header's type field.

.Keywords may be used when specifying the ICMP type
[options="header"]
|==================
|Keyword | Value
|echo-reply | 0
|destination-unreachable | 3
|source-quench | 4
|redirect | 5
|echo-request | 8
|router-advertisement | 9
|router-solicitation | 10
|time-exceeded | 11
|parameter-problem | 12
|timestamp-request | 13
|timestamp-reply | 14
|info-request | 15
|info-reply | 16
|address-mask-request | 17
|address-mask-reply | 18
|==================

.ICMP Type specification
------------------------
# match ping packets
filter output icmp type { echo-request, echo-reply }
------------------------

ICMP CODE TYPE
~~~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|ICMP Code | icmp_code | 8 bit | integer
|==================

The ICMP Code type is used to conveniently specify the ICMP header's code field.

.Keywords may be used when specifying the ICMP code
[options="header"]
|==================
|Keyword | Value
|net-unreachable | 0
|host-unreachable | 1
|prot-unreachable | 2
|port-unreachable | 3
|net-prohibited | 9
|host-prohibited | 10
|admin-prohibited | 13
|==================

ICMPV6 TYPE TYPE
~~~~~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|ICMPv6 Type | icmpx_code | 8 bit | integer
|==================

The ICMPv6 Type type is used to conveniently specify the ICMPv6 header's type field.

.keywords may be used when specifying the ICMPv6 type:
[options="header"]
|==================
|Keyword | Value
|destination-unreachable | 1
|packet-too-big | 2
|time-exceeded | 3
|parameter-problem | 4
|echo-request | 128
|echo-reply | 129
|mld-listener-query | 130
|mld-listener-report | 131
|mld-listener-done | 132
|mld-listener-reduction | 132
|nd-router-solicit | 133
|nd-router-advert | 134
|nd-neighbor-solicit | 135
|nd-neighbor-advert | 136
|nd-redirect | 137
|router-renumbering | 138
|ind-neighbor-solicit | 141
|ind-neighbor-advert | 142
|mld2-listener-report | 143
|==================

.ICMPv6 Type specification
--------------------------
# match ICMPv6 ping packets
filter output icmpv6 type { echo-request, echo-reply }
--------------------------

ICMPV6 CODE TYPE
~~~~~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|ICMPv6 Code | icmpv6_code | 8 bit | integer
|==================

The ICMPv6 Code type is used to conveniently specify the ICMPv6 header's code field.

.keywords may be used when specifying the ICMPv6 code
[options="header"]
|==================
|Keyword | Value
|no-route | 0
|admin-prohibited | 1
|addr-unreachable | 3
|port-unreachable | 4
|policy-fail | 5
|reject-route | 6
|==================

ICMPVX CODE TYPE
~~~~~~~~~~~~~~~~
[options="header"]
|==================
|Name | Keyword | Size | Base type
|ICMPvX Code | icmpv6_type | 8 bit | integer
|==================

The ICMPvX Code type abstraction is a set of values which overlap between ICMP
and ICMPv6 Code types to be used from the inet family.

.keywords may be used when specifying the ICMPvX code
[options="header"]
|==================
|Keyword | Value
|no-route | 0
|port-unreachable | 1
|host-unreachable | 2
|admin-prohibited | 3
|==================

CONNTRACK TYPES
~~~~~~~~~~~~~~~

.overview of types used in ct expression and statement
[options="header"]
|==================
|Name | Keyword | Size | Base type
|conntrack state | ct_state | 4 byte | bitmask
|conntrack direction | ct_dir | 8 bit | integer
|conntrack status | ct_status | 4 byte | bitmask
|conntrack event bits | ct_event | 4 byte | bitmask
|conntrack label | ct_label | 128 bit | bitmask
|==================

For each of the types above, keywords are available for convenience:

.conntrack state (ct_state)
[options="header"]
|==================
|Keyword | Value
|invalid | 1
|established | 2
|related | 4
|new | 8
|untracked | 64
|==================

.conntrack direction (ct_dir)
[options="header"]
|==================
|Keyword | Value
|original | 0
|reply | 1
|==================

.conntrack status (ct_status)
[options="header"]
|==================
|Keyword | Value
|expected | 1
|seen-reply | 2
|assured | 4
|confirmed | 8
|snat | 16
|dnat | 32
|dying | 512
|==================

.conntrack event bits (ct_event)
[options="header"]
|==================
|Keyword | Value
|new | 1
|related | 2
|destroy | 4
|reply | 8
|assured | 16
|protoinfo | 32
|helper | 64
|mark | 128
|seqadj | 256
|secmark | 512
|label | 1024
|==================

Possible keywords for conntrack label type (ct_label) are read at runtime from /etc/connlabel.conf.